Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Yeah, I get your position (hopefully!), but I think I'd rather hear from a lawyer whether this is OK or not, my guess is that it is OK.

The snippet you pasted says also:

... regulatory, and/or business requirements

A business that is going out of business may treat this data as a business asset and may need to retain it for a certain period even when they are inactive.

Most terms of service do allow for transfer of account information to third parties, and have contingencies for what happens to the data if the company goes under, and as far as I'm aware, selling that customer data is an option unless they've explicitly said they won't.

As long as the credit card data is transferred in a PCI compliant way, it's legal.

You're absolutely right that it would be a serious violation if they were to charge someone without their knowledge, it doesn't look like that's happened yet.

It's also quite possible the underlying business entity is still Homejoy with a name change. ZenPayroll* didn't have to get people's permission to charge them when they changed their name to Gusto, but it obviously helps to communicate that change very clearly!

I am pretty sure we generally agree, though, it's very clear that there are dozens of egregiously bad things being done by Aaron and his team that can only hurt them and their desired future customers.

*I said Zenefits :( :(



Yeah, you don't need to be a lawyer to implement PCI-DSS. You are entirely missing the following dot point:

"Processes for secure deletion of data when no longer needed"

Those dot points aren't using a disjunction, they must ALL be followed. The standard is very, very clear on that point: once you don't need the data, you securely delete it.

That makes sense, incidentally. If you no longer have the data anywhere, then nobody can get to it even if they compromise your systems and gain access to your credit card lists.

If your company winds down and you no longer bill your customers, you are absolutely required by PCI-DSS (and good security practice!) to delete that data.

As for HomeJoy being the same legal entity, that's not the way that the email sent from HomeJoy reads. It says that Fly Maids is their partner, not the same organisation.

That HomeJoy hasn't done this says to me they are cavalier with their customers data at best. I would not trust them with my credit card details, nor would I be happy letting them into my home.


I'm not entirely missing the point, but I don't know enough about the PCI-DSS to be too much of a contrarian here :)

Processes for secure deletion of data when no longer needed

Is "needed" defined anywhere?

As far as I can tell this requires companies to create a plan – that plan could be very different between companies.

I highly doubt Homejoy/Fly Maids is maintaining the data themselves, it's probably stored in Stripe, so unless they are actually storing credit card data in a non PCI compliant way, they are probably fine, right?

Let me restate what I think you're saying though: When they shut down Homejoy, they should have immediately deleted all the data they had stored in Stripe (or what ever payment system they use)?

"That HomeJoy hasn't done this says to me they are cavalier with their customers data at best. I would not trust them with my credit card details, nor would I be happy letting them into my home."

Totally agree, maybe let's leave it at that :)


Is "needed" defined anywhere?

Speechless!

I highly doubt Homejoy/Fly Maids is maintaining the data themselves, it's probably stored in Stripe, so unless they are actually storing credit card data in a non PCI compliant way, they are probably fine, right?

No, Stripe would then be violating PCI-DSS themselves.


How could Stripe know if one of their users is out of business and should delete their data? I'm a bit confused (as you already know!)

Stripe has API calls to get the last four digits and expiration date.

Also, it's not clear that the /payments page isn't secure, the screenshot is of the Profile page.

*edit: see my reply to your other comment, didn't realize you were OP, so I will now assume you did check the payment form for security and it was not there, which is definitely even more shocking.


First, I want to apologise if my tone has been a bit off on a few of my replies.

Stripe is very unlikely to transfer credit card data to an entirely different organisation. They also require evidence of PCI compliance before they will do business with you.

As for knowing when your business is being dissolved: I have to refer you to their terms of service, found at https://stripe.com/us/terms

You agree to give us at least 30 days prior notification of your intent to change your current product or services types, your trade name, or the manner or types of payments you accept. You agree to provide us with prompt notification if you are the subject of any voluntary or involuntary bankruptcy or insolvency petition or proceeding. You also agree to promptly notify us of any adverse change in your financial condition, any planned or anticipated liquidation or substantial change in the basic nature of your business, any transfer or sale of 25% or more of your total assets or any change in the control or ownership of you or your parent entity. You will also notify us of any judgment, writ or warrant of attachment or execution, or levy against 25% or more of your total assets not later than 3 days after you obtain knowledge of it.

You are guessing, however, that they are using Stripe or another credit card provider to store that data. But given Stripe need to handle charge backs and other things, I can't see them not knowing about HomeJoy, given how public the windup was.


Yep this all makes sense. I still think there's a chance it wasn't transferred at all. Since the founder of Homejoy runs the new site it could be that they're still the same entity and business with the same stripe account. Maybe this has its own implications.

Unfortunately it sounds like the worst case for them is that enough people report them to their payment provider and they get fined. Clearly what they face there is probably not worse than the huge violation of trust their former customers will feel.

By the way thanks for digging into this so much. The Stripe TOS are darn clear here.


:-) if you hadn't asked a lot of questions, I wouldn't have dug in!


Nitpick: Actually it was ZenPayroll that changed their name to Gusto. Zenefits is definitely still Zenefits.


You're right! Sorry about that.

Obviously, I am a huge fan of nit picking, so it's always welcomed :)


Nit picking is fine. I think I was a little bit unfair in my tone towards you in a few of my comments, for which I apologise!


No. I opened this up with a contrarian tone, you were completely civil. Thanks for that!


get a room you two ;)




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: